Intrusion detection


Published in: Education, Technology

CYBERSECURITY

Intrusion Detection for Grid and Cloud Computing

Kleber Vieira, Alexandre Schulter, Carlos Becker Westphall, and Carla Merkle Westphall, Federal University of Santa Catarina, Brazil

Providing security in a distributed system requires more than user authentication with passwords or digital certificates and confidentiality in data transmission. The Grid and Cloud Computing Intrusion Detection System integrates knowledge and behavior analysis to detect intrusions.

Because of their distributed nature, grid and cloud computing environments are easy targets for intruders looking for possible vulnerabilities to exploit. By impersonating legitimate users, the intruders can use a service's abundant resources maliciously.

To combat attackers, intrusion-detection systems (IDSs) can offer additional security measures for these environments by investigating configurations, logs, network traffic, and user actions to identify typical attack behavior [1]. However, an IDS must be distributed to work in a grid and cloud computing environment. It must monitor each node and, when an attack occurs, alert other nodes in the environment. This kind of communication requires compatibility between heterogeneous hosts, various communication mechanisms, and permission control over system maintenance and updates—typical features in grid and cloud environments [2]. Cloud middleware usually provides these features, so we propose an IDS service offered at the middleware layer (as opposed to the infrastructure or software layers).

An attack against a cloud computing system can be silent for a network-based IDS deployed in its environment, because node communication is usually encrypted. Attacks can also be invisible to host-based IDSs, because cloud-specific attacks don't necessarily leave traces in a node's operating system, where the host-based IDS resides. In this way, traditional IDSs can't appropriately identify suspicious activities in a grid and cloud environment [3] (see the "Related Work in Intrusion Detection" sidebar).

Here, we take a careful look at the cloud case in particular. We propose the Grid and Cloud Computing Intrusion Detection System (GCCIDS), which has an audit system designed to cover attacks that network- and host-based systems can't detect. GCCIDS integrates knowledge and behavior analysis to detect specific intrusions.

IT Pro, July/August 2010. Published by the IEEE Computer Society. 1520-9202/10/$26.00 © 2010 IEEE

Sidebar: Related Work in Intrusion Detection

Here we present some of the relevant research on intrusion detection for grids, discussing in particular the techniques they apply and the source of the data they analyze. Table A classifies related work according to the audit data source (host, network, or grid), the analysis technique (knowledge- or behavior-based), and whether there was a proper evaluation.

Fang-Yie Leu, Jia-Chun Lin, Ming-Chang Li, Chao-Tung Yang, and Po-Chi Shih's work [1], along with Stuart Kenny and Brian Coghlan's [2] solutions, are based on analyzing data from a grid's network, although these approaches can't detect grid-specific attacks, because they don't capture any high-level data. Guofu Feng, Xiaoshe Dong, Weizhe Liu, Ying Chu, and Junyang Li integrate a host-based intrusion-detection system (IDS) into a grid environment, providing protection against typical operating system attacks, but not the ones that might target middleware vulnerabilities [3].

Mohamed Tolba [4] and Alexandre Schulter [5] and their colleagues view a computational grid as one big host of resources, and the audit data is collected from the operating systems as in typical host-based IDSs. Their solutions focus on analyzing high-level information regarding grid usage by its users, and they apply behavior-based techniques in the analysis.

In comparison, we conclude that the available solutions approach the problem in a different way, especially with regard to the threats we try to defend against by combining two distinct auditing techniques.

Table A. Features of related works concerning intrusion detection for grids.

Author     Host-based IDS   Network-based IDS   Data from a grid   Knowledge-based technique   Behavior-based technique   Validation
Tolba      Yes              No                  Yes                No                          Yes                        Yes
Schulter   Yes              Yes                 No                 No                          Yes                        Yes
Choon      No               Yes                 N/A                No                          No                         No
Kenny      No               Yes                 No                 Yes                         No                         Yes
Leu        No               Yes                 No                 Yes                         No                         Yes
Feng       Yes              No                  No                 Yes                         No                         Yes

Sidebar references
1. F-Y. Leu et al., "Integrating Grid with Intrusion Detection," Proc. Int'l Conf. Advanced Information Networking and Applications (AINA 05), vol. 1, IEEE CS Press, 2005, pp. 304–309.
2. S. Kenny and B. Coghlan, "Towards a Grid-Wide Intrusion Detection System," Proc. European Grid Conf. (EGC 05), Springer, 2005, pp. 275–284.
3. G. Feng et al., "GHIDS: Defending Computational Grids against Misusing of Shared Resource," Proc. Asia-Pacific Conf. Services Computing (APSCC 06), IEEE CS Press, 2006, pp. 526–533.
4. M. Tolba et al., "Distributed Intrusion Detection System for Computational Grids," Proc. 2nd Int'l Conf. Intelligent Computing and Information Systems (ICICIS 05), 2005.
5. A. Schulter et al., "Intrusion Detection for Computational Grids," Proc. 2nd Int'l Conf. New Technologies, Mobility, and Security, IEEE Press, 2008, pp. 1–5.

Our Proposed Service

In our solution, each node identifies local events that could represent security violations and alerts the other nodes. Each individual IDS cooperatively participates in intrusion detection. Figure 1 depicts the sharing of information between the IDS service and the other elements participating in the architecture: the node, service, event auditor, and storage service.

[Figure 1. The architecture of grid and cloud computing intrusion detection. Each node identifies local events that could represent security violations and sends an alert to the other nodes. Labeled elements: Grid node, Service, IDS service (Event auditor, Analyzer, Alert system), Storage service, Knowledge base, Behavior base, Communication service (Synchronize), Database.]

The node contains the resources, which are accessed homogeneously through the middleware. The middleware sets the access-control policies and supports a service-oriented environment.

The service provides its functionality in the environment through the middleware, which facilitates communication.

The event auditor is the key piece in the system. It captures data from various sources, such as the log system, service, and node messages. The IDS service analyzes this data and applies detection techniques based on user behavior and knowledge of previous attacks. If it detects an intrusion, it uses the middleware's communication mechanisms to send alerts to the other nodes. The middleware synchronizes the known-attacks and user-behavior databases.

The storage service holds the data that the IDS service must analyze. It's important for all nodes to have access to the same data, so the middleware must transparently create a virtualization of the homogeneous environment.

IDS Service

The IDS service increases a cloud's security level by applying two methods of intrusion detection. The behavior-based method dictates how to compare recent user actions to the usual behavior. The knowledge-based method detects known trails left by attacks or certain sequences of actions from a user who might represent an attack.

The audited data is sent to the IDS service core, which analyzes the behavior using artificial intelligence to detect deviations. The analyzer uses a profile history database to determine the distance between a typical user behavior and the suspect behavior and communicates this to the IDS service.

The rules analyzer receives audit packages and determines whether a rule in the database is being broken. It returns the result to the IDS service core. With these responses, the IDS calculates the probability that the action represents an attack and alerts the other nodes if the probability is sufficiently high.

Event Auditor

To detect an intrusion, we need audit data describing the environment's state and the messages being exchanged. The event auditor can monitor the data that the analyzers are accessing.

The first component monitors message exchange between nodes. Although audit information about the communication between nodes is being captured, no network data is taken into account—only node information.

The second component monitors the middleware logging system. For each action occurring in a node, a log entry is created containing the action's type (such as error, alert, or warning), the event that generated it, and the message. With this kind of data, it's possible to identify an ongoing intrusion.

Behavior Analysis

Numerous methods exist for behavior-based intrusion detection, such as data mining, artificial neural networks, and artificial immunological systems. We use a feed-forward artificial neural network, because—in contrast to traditional methods—this type of network can quickly process information, has self-learning capabilities, and can tolerate small behavior deviations. These features help overcome some IDS limitations [4].

Using this method, we need to recognize expected behavior (legitimate use) or a severe behavior deviation. Training plays a key role in the pattern recognition that feed-forward networks perform. The network must be correctly trained to efficiently detect intrusions. For a given intrusion sample set, the network learns to identify the intrusions using its retropropagation algorithm. However, we focus on identifying user behavioral patterns and deviations from such patterns. With this strategy, we can cover a wider range of unknown attacks.

Knowledge Analysis

Knowledge-based intrusion detection is the most often applied technique in the field because it results in a low false-alarm rate and high positive rates, although it can't detect unknown attack patterns. It uses rules (also called signatures) and monitors a stream of events to find malicious characteristics.

Using an expert system, we can describe a malicious behavior with a rule. One advantage of using this kind of intrusion detection is that we can add new rules without modifying existing ones. In contrast, behavior-based analysis is performed on learned behavior that can't be modified without losing the previous learning. Generating rules is the key element in this technique—it helps the expert system recognize newly discovered attacks. Creating a rule consists of defining the set of conditions that represent the attack.

Increasing Attack Coverage

The two intrusion detection techniques are distinct. The knowledge-based intrusion detection is characterized by a high hit rate of known attacks, but it's deficient in detecting new attacks. We therefore complemented it with the behavior-based technique, which can discover deviations from acceptable use and thus help identify privilege abuse.

The volume of data in a cloud computing environment can be high, so administrators don't observe each user's actions—they observe only alerts from the IDS.

Results

We developed a prototype to evaluate the proposed architecture using Grid-M, a middleware of our research group developed at the Federal University of Santa Catarina [5].

We created data tables to perform the experiments with audit elements coming from both the log system and from data captured during node communications. We prepared three types of simulation data to test.

First, we created data representing legitimate action by executing a set of known services simulating a regular behavior.

Then, we created data representing behavior anomalies. To represent anomalous sequences of actions, we altered the services and their usage frequency. For example, for a teaching department that posts grades electronically, if two out of every 100 grades are typically corrected later because of a mistake, then an anomalous behavior would be correcting 10 consecutive grades. This action would deserve special attention to determine whether it constituted an abuse of privileges.

Finally, we created data representing policy violation. This was prepared with a set of audit packages containing a series of elements violating base rules.

Evaluating the Event Auditor

The event auditor captures all requests received by a node and the corresponding responses, which is fundamental for behavior analysis. For each action a node performs, a log entry is generated to register the methods and parameters invoked during the action.

In the experiments with the behavior-based IDS, we considered using audit data from both a log and a communication system. Unfortunately, data from a log system—with the exception of the message element—has a limited set of values with little variation. This made it difficult to find attack patterns, so we opted to explore communication elements to evaluate this technique.

We evaluated the behavior-based technique using artificial intelligence enabled by a feed-forward neural network [6]. In the simulation environment, we monitored five intruders and five legitimate users.

We initiated the neural-network training with a data set representing 10 days of usage simulation. Using this data resulted in a high number of false negatives and a high level of uncertainty. Increasing the sample period for the learning phase improved the results.

Evaluating the Behavior-Based System

To measure IDS efficiency [1], we considered accuracy in terms of the system's ability to detect attacks and avoid false alarms. A system is imperfect if it accuses a legitimate action of being malicious. So, we measured accuracy using the number of false positives (legitimate actions marked as attacks) and false negatives (the absence of an alert when an attack has occurred).

The performance test we designed also evaluated the analysis technique's cost. We performed a load test where the program analyzed 1 to 100,000 actions. The simulation involving 100,000 actions is hypothetical. It surpasses the usual data volume and served as a base for understanding system behavior in an overloading condition. An action took approximately 0.000271 seconds to be processed with our setup.

The training time for an input of 30 days of sample behavior took 1.993 seconds. However, the training was sporadic—we had to plan updates to the behavior profile database according to a routine in the execution environment (since a user's behavior tends to change with time). This helped us identify a convenient period of days for determining the profile of a legitimate user. Artificial neural networks aren't deterministic, so the number of false positives and false negatives didn't represent a linear decreasing progression.

Figure 2 shows the results. The neural network tended to avoid identifying legitimate actions as attacks—there were always more false negatives than false positives when using the same quantity of input data. No false alarms occurred when we started the training with 16 days of simulation, although the uncertainty level was still high, with several outputs near zero. With input periods of 28, 29, and 30 days, the algorithm showed a low number of false positives, but after several repetitions, the quantity of false positives varied, again representing the nondeterministic nature of neural networks.

[Figure 2. The behavior score results. The algorithm had the lowest number of false positives for input periods with 28–30 days. Y axis: number of false positives and false negatives (0 to 6); X axis: number of training examples (10 to 30); series: false positive, false negative.]

Evaluating the Knowledge-Based System

In contrast to the behavior-based system, we used audit data from both a log system and the communication system to evaluate the knowledge-based system. We created a series of rules to illustrate security policies that the IDS should monitor.

We collected audit data referring to a route-discovery service, service discovery, and service request and response. The series of policies we created tested the system's performance, although our scope didn't include discovering new kinds of attacks or creating an attack database. Our goal was to evaluate our solution's functionality and the prototype's performance.

The rule below characterizes an attack in any message related to the storage service. The functions of the rule are as follows:

1. At start-up, the rules stored in an XML file are loaded into a data structure.
2. The auditor starts to capture data from the log and communication systems.
3. The data is preprocessed to create a data structure dividing log data from communication data to provide easy access to each element.
4. The corresponding policy for the audit package is verified.
5. An alert is generated if an attack or violation occurred.

We performed a load test for this algorithm simulating the analysis of 10 to 1,000,000 rules for an action. We verified the textual or numerical field in comparison to the rules. The analyzer performed two primary functions: it searched for improper content, and it compared numerical intervals. Comparing 100,000 rules for an action consumed 0.361 seconds; comparing a million rules consumed 2.7 seconds. This suggests that real-time analysis is possible up until a certain limit in the number of rules.

In testing our prototype, we learned that it has a low processing cost while still providing a satisfactory performance for real-time implementation. Sending data to other nodes for processing didn't seem necessary [7]. The individual analysis performed in each node reduces the complexity and the volume of data in comparison to previous solutions, where the audit data is concentrated in single points.

In the future, we'll implement our IDS, helping to improve green (energy-efficient), white (using wireless networks), and cognitive (using cognitive networks) cloud computing environments. We also intend to research and improve cloud computing security.

References
1. H. Debar, M. Dacier, and A. Wespi, "Towards a Taxonomy of Intrusion Detection Systems," Int'l J. Computer and Telecommunications Networking, vol. 31, no. 9, 1999, pp. 805–822.
2. I. Foster et al., "A Security Architecture for Computational Grids," Proc. 5th ACM Conf. Computer and Communications Security, ACM Press, 1998, pp. 83–92.
3. S. Axelsson, Research in Intrusion-Detection Systems: A Survey, tech. report TR-98-17, Dept. Computer Eng., Chalmers Univ. of Technology, 1999.
4. A. Schulter et al., "Intrusion Detection for Computational Grids," Proc. 2nd Int'l Conf. New Technologies, Mobility, and Security, IEEE Press, 2008, pp. 1–5.
5. H. Franke et al., "Grid-M: Middleware to Integrate Mobile Devices, Sensors and Grid Computing," Proc. 3rd Int'l Conf. Wireless and Mobile Comm. (ICWMC 07), IEEE CS Press, 2007, p. 19.
6. N.B. Idris and B. Shanmugam, "Artificial Intelligence Techniques Applied to Intrusion Detection," Proc. 2005 IEEE India Conf. (Indicon), IEEE Press, 2005, pp. 52–55.
7. P.F. da Silva and C.B. Westphall, "Improvements in the Model for Interoperability of Intrusion Detection Responses Compatible with the IDWG Model," Int'l J. Network Management, vol. 17, no. 4, 2007, pp. 287–294.

Kleber Vieira is a team leader for a software development company in Brazil and is a member of the Networks and Management Laboratory at the Federal University of Santa Catarina, Brazil. His research interests include information systems, software engineering, distributed systems, and security. Vieira received his MSc in computer science from the Federal University of Santa Catarina. Contact him at kleber@

Alexandre Schulter is an IT analyst for a Brazilian government company. Previously, he was a researcher and software developer at several laboratories in the Technological Centre at the Federal University of Santa Catarina, Brazil. His research interests include information systems, component-based systems, software engineering, distributed systems, and security. Schulter received his MSc in computer science from the Federal University of Santa Catarina. Contact him at schulter@

Carlos Becker Westphall is a full professor in the Department of Informatics and Statistics at the Federal University of Santa Catarina, Brazil, where he is the leader of the Networks and Management Laboratory. His research interests include network management, security, and grid and cloud computing. Westphall received his DSc in computer science from the Paul Sabatier University, France. Contact him at

Carla Merkle Westphall is a professor in the Department of Informatics and Statistics at the Federal University of Santa Catarina, Brazil. Her research interests include distributed security, identity management, and grid and cloud security. Westphall received her PhD in electrical engineering from the Federal University of Santa Catarina. Contact her at carlamw@
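The five-step rule-checking procedure and the two analyzer functions (improper-content search and numeric-interval comparison) described under "Evaluating the Knowledge-Based System", worked through in Python as an added example; this is not the authors' prototype code, and the XML rule schema, the audit-package field names and the sample package are constructed assumptions, since the paper's own storage-service rule is not reproduced on this page.

```python
import xml.etree.ElementTree as ET

# Step 1 input: a constructed rule file (the XML schema is an assumption, not
# the paper's). Each rule names the audit source it applies to, the field to
# inspect, and either improper textual content or an allowed numeric interval.
RULES_XML = """<rules>
  <rule id="storage-msg" source="communication" field="service"
        type="content" value="storage" severity="attack"/>
  <rule id="payload-size" source="communication" field="size"
        type="interval" min="0" max="4096" severity="violation"/>
  <rule id="log-error" source="log" field="type"
        type="content" value="error" severity="violation"/>
</rules>"""

def load_rules(xml_text):
    """Step 1: load the rules from XML into a list of dicts at start-up."""
    rules = []
    for el in ET.fromstring(xml_text).iter("rule"):
        rule = dict(el.attrib)
        if rule["type"] == "interval":
            rule["min"], rule["max"] = float(rule["min"]), float(rule["max"])
        rules.append(rule)
    return rules

def preprocess(audit_package):
    """Step 3: divide a captured audit package into log and communication entries."""
    split = {"log": [], "communication": []}
    for entry in audit_package:
        split[entry["source"]].append(entry)
    return split

def matches(rule, entry):
    """Step 4 helper: content rules search a textual field for improper content,
    interval rules flag a numeric field outside [min, max]."""
    if rule["field"] not in entry:
        return False
    if rule["type"] == "content":
        return rule["value"].lower() in str(entry[rule["field"]]).lower()
    try:
        return not (rule["min"] <= float(entry[rule["field"]]) <= rule["max"])
    except (TypeError, ValueError):
        return True  # non-numeric data where a number is expected violates the rule

def analyze(rules, audit_package):
    """Steps 3 to 5: verify each entry against the rules for its source; every hit
    becomes an alert tuple (rule id, severity, originating node)."""
    alerts = []
    for source, entries in preprocess(audit_package).items():
        for rule in (r for r in rules if r["source"] == source):
            alerts += [(rule["id"], rule["severity"], e.get("node"))
                       for e in entries if matches(rule, e)]
    return alerts

# Step 2: constructed audit package as the event auditor would capture it, with
# one storage-service message, one oversized message and one error log entry.
SAMPLE_PACKAGE = [
    {"source": "communication", "node": "n1", "service": "route-discovery", "size": 512},
    {"source": "communication", "node": "n2", "service": "storage-service", "size": 300},
    {"source": "communication", "node": "n3", "service": "service-discovery", "size": 9000},
    {"source": "log", "node": "n1", "type": "warning", "event": "auth", "message": "retry"},
    {"source": "log", "node": "n2", "type": "error", "event": "acl", "message": "denied"},
]

ALERTS = analyze(load_rules(RULES_XML), SAMPLE_PACKAGE)  # three alerts on this package
```

Because rules are filtered by audit source before matching, a new rule can be added to the XML file without touching the existing ones, which is the advantage the Knowledge Analysis section claims for the approach.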